GlobalSign, a certificate authority (CA) based out of Belgium temporarily stopped issuing certificates. This action was taken in response to a message on Pastebin, in which the anonymous poster claimed the responsibility for the recent DigiNotar breach and singled out GlobalSign as another CA that he or she compromised.

According to GlobalSign's press release, the company is investigating the report and "decided to temporarily cease issuance of all Certificates" until it assesses the claim that its security was breached.

An ISC reader shared with us a response that GlobalSign provided to his company regarding this matter. In that message, the company explained that it paused the issuance of certificates to allow the systems to undergo a forensic audit while they are off-line. The company reportedly downplayed the risk of the existing active certificates being at risk, referring to its security practices that involve keeping the root CA off-line. Yet, with the intermediate CAs being on-line, the risk is there in a way that is similar to the DigiNotar scenario: An attacker may be able to use intermediate CAs to issue false certificates. This could also allow an attacker to spoof certs that have already been issued.

Note, however, that we have yet to see evidence of GlobalSign being compromised. The Pastebin notice might prove to be unauthentic or otherwise false. It's not uncommon for malicious hackers to put forth claims of conquest that later turned out to be unsubstantiated... just for LOLs.

-- Lenny

Lenny Zeltser focuses on safeguarding customers' IT operations at Radiant Systems. He also teaches how to analyze and combat malware at SANS Institute. Lenny is active on Twitter and writes a daily security blog.